About an hour ago I received an email message claiming to be from GitHub stating:
A security vulnerability was recently discovered that made it possible for an attacker to add new SSH keys to arbitrary GitHub user accounts. This would have provided an attacker with clone/pull access to repositories with read permissions, and clone/pull/push access to repositories with write permissions. As of 5:53 PM UTC on Sunday, March 4th the vulnerability no longer exists.
While no known malicious activity has been reported, we are taking additional precautions by forcing an audit of all existing SSH keys.
Thunderbird has flagged it as a scam, though it looks very credible, but the email header is a bit flaky as the email has not come from a GitHub server:
X-Original-To: firstname.lastname@example.org
Delivered-To: email@example.com
Received: from o3.newslettergrid.com (o3.newslettergrid.com [220.127.116.11]) by webmail.thecentreground.com (Postfix) with SMTP id 90FE4BAC449 for <firstname.lastname@example.org>; Wed, 7 Mar 2012 18:21:49 +0000 (GMT)
The worrying thing is that there is nothing on the GitHub site itself to say whether it is genuine or indeed a scam.
Right now I am not acting on the message.
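The header check the post relies on, as an added example that is not part of the original post: parse the message headers, take the bottom-most Received: hop (the relay nearest the origin) and compare its reverse DNS and the Return-Path domain against the domain the message claims to come from. The Received: line is the one quoted above; the From: and Return-Path: values and the claimed domain github.com are assumptions for this example.

```python
import re

# Constructed headers for this example: the Received: line is the one quoted in
# the post; Return-Path and From are assumed for a mail claiming to be from GitHub.
RAW_HEADERS = """\
Return-Path: <bounces@newslettergrid.com>
From: GitHub <noreply@github.com>
Received: from o3.newslettergrid.com (o3.newslettergrid.com [220.127.116.11])
 by webmail.thecentreground.com (Postfix) with SMTP id 90FE4BAC449
 for <firstname.lastname@example.org>; Wed, 7 Mar 2012 18:21:49 +0000 (GMT)
"""
CLAIMED_DOMAIN = "github.com"  # assumed: the organisation the mail claims to be from
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[\d.]+)\]\)", re.IGNORECASE)

def parse_headers(raw):
    """Unfold RFC 5322 continuation lines; return (name, value) pairs in order."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)
    pairs = []
    for line in unfolded.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def address_domain(value):
    """Domain part of the address in a From: or Return-Path: value ('' if none)."""
    match = re.search(r"@([\w.-]+)", value)
    return match.group(1).lower() if match else ""

def in_domain(host, domain):
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def check_sender_alignment(raw, claimed_domain=CLAIMED_DOMAIN):
    """Flag mismatches between the claimed sender and the headers. The bottom-most
    Received: is the hop nearest the origin; its relay and the Return-Path should
    sit inside the claimed domain if the mail really came from that organisation."""
    headers = parse_headers(raw)
    received = [v for n, v in headers if n == "received"]
    origin = RECEIVED_RE.search(received[-1]) if received else None
    from_domain = next((address_domain(v) for n, v in headers if n == "from"), "")
    bounce_domain = next((address_domain(v) for n, v in headers if n == "return-path"), "")
    findings = []
    if from_domain != claimed_domain:
        findings.append(f"From: domain {from_domain!r} is not {claimed_domain!r}")
    if bounce_domain and not in_domain(bounce_domain, claimed_domain):
        findings.append(f"Return-Path domain {bounce_domain!r} is outside {claimed_domain!r}")
    if origin and not in_domain(origin["rdns"], claimed_domain):
        findings.append(f"origin relay {origin['rdns']} ({origin['ip']}) is outside {claimed_domain!r}")
    return {"origin_ip": origin["ip"] if origin else None, "aligned": not findings, "findings": findings}
```

For the headers quoted in the post this reports two findings (Return-Path and originating relay both outside github.com); a relay outside the claimed domain is normal for a legitimate third-party mailer, so treat the result as a reason to verify through the organisation's own site rather than as proof of a scam.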